Has O2 PUK'd up mobile phone security?

O2 is offering users a quick and easy way to unlock mobile phones with a personal unblocking code (PUK) which they can get online simply by typing their mobile number into the O2 website.

The website then generates the PUK code and, while that takes the headache out of dealing with call centres for users desperate to access their mobile after it becomes locked, it has raised some concerns about security as users only have to know the phone number - and it doesn't have to be their own phone.

Security expert Bruce Schneier, posting on his blog raised concerns that the system could pose a threat. "Now anyone on the internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN - without any authentication whatsoever," he said.

The easiest breach to achieve would be when somebody steals a mobile phone from a person whose number they already know - in an environment such as a school or more worryingly an office where converged devices such as an XDA may hold a lot of sensitive corporate data.

Less simple would be when the thief doesn't know the mobile number. However, if they have snatched a coat, handbag or wallet as well, the contents may include an item such as a business card that can betray the mobile phone number.

But a spokesman for O2 told silicon.com this represents a very small security risk, far outweighed by the ease of use which will benefit customers.

The O2 spokesman said: "The vast majority of mobile phones which are stolen are already on, providing a window of opportunity to make calls between the phone being stolen and reported stolen.

"You're only ever asked for a PIN code when the phone is already switched off."

He added that the system is there to help users whose phones are accidentally locked, or in some cases are locked by a friend changing a PIN number as a joke. He said the benefits of such a straightforward system far outweigh "a very small security risk".